PrepAway - Latest Free Exam Questions & Answers

Which of the following authentication mechanisms should be utilized to meet this goal?

An organization has an internal PKI that utilizes client certificates on each workstation. When
deploying a new wireless network, the security engineer has asked that the new network
authenticate clients by utilizing the existing client certificates. Which of the following authentication
mechanisms should be utilized to meet this goal?

A. EAP-FAST

B. LEAP

C. PEAP

D. EAP-TLS

3 Comments on “Which of the following authentication mechanisms should be utilized to meet this goal?”

  1. Lake says:

    EAP-FAST (Extensible Authentication Protocol – Flexible Authentication via Secure Tunneling) is an Extensible Authentication Protocol (EAP) developed by Cisco. It is used in wireless networks and point-to-point connections to perform session authentication. Its purpose is to replace the Lightweight Extensible Authentication Protocol (LEAP). It does not make use of TLS, but PAC (Protected Access Credentials).

    The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows for clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new WEP key (with the hope that the WEP keys don’t live long enough to be cracked). LEAP may be configured to use TKIP instead of dynamic WEP.

    PEAP (Protected Extensible Authentication Protocol) fully encapsulates EAP and is designed to work within a TLS (Transport Layer Security) tunnel that may be encrypted but is authenticated.

    Authenticated wireless access design based on Extensible Authentication Protocol – Transport Level Security (EAP-TLS) can use either smart cards or user and computer certificates to authenticate wireless access clients. EAP-TLS does not use usernames and passwords for authentication. EAP-TLS uses the handshake protocol in TLS, not its encryption method. Client and server authenticate each other using digital certificates. Client generates a pre-master secret key by encrypting a random number with the server’s public key and sends it to the server. Both client and server use the pre-master to generate the same secret key. It offers a good deal of security, since TLS is considered the successor of the SSL standard. It uses PKI to secure communication to the RADIUS authentication server.

    D is correct.




  2. Mike says:

    I chose D
    EAP-TLS: This version uses Transport Layer Security, which is a certificate-based system that does enable mutual authentication. This does not work well in enterprise scenarios because certificates must be configured or managed on the client side and server side.




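An added example, not part of the original page or its comments: a small audit that checks whether a client's wireless profiles actually meet the question's requirement of authenticating with the existing client certificate. It assumes the clients use wpa_supplicant and its `wpa_supplicant.conf` syntax; the SSIDs, identities and file paths in the sample are constructed placeholders.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax; all names and paths are placeholders.
SAMPLE_CONF = '''
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="host/ws01.example.internal"
    ca_cert="/etc/pki/corp-ca.pem"
    client_cert="/etc/pki/ws01.pem"
    private_key="/etc/pki/ws01.key"
}
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="constructed-placeholder"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-tls-unpinned"
    key_mgmt=WPA-EAP
    eap=TLS
    client_cert="/etc/pki/ws02.pem"
    private_key="/etc/pki/ws02.key"
}
'''

def parse_networks(text):
    """Return one dict of key -> value for each network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = re.findall(r"^[ \t]*(\w+)=(.*?)[ \t]*$", body, re.M)
        nets.append({k: v.strip('"') for k, v in pairs})
    return nets

def audit(net):
    """List reasons a block fails the goal (simplified: ca_path is not considered)."""
    findings = []
    if net.get("eap", "").upper() != "TLS":
        findings.append("eap=%s: method is not EAP-TLS" % net.get("eap"))
    else:
        findings += ["missing " + k for k in ("client_cert", "private_key") if k not in net]
    if "ca_cert" not in net:
        findings.append("no ca_cert: the RADIUS server certificate is not validated")
    return findings

def audit_conf(text):
    return {n["ssid"]: audit(n) for n in parse_networks(text)}
```

The third block shows the case that is easy to miss: EAP-TLS is selected and the client certificate is present, but without `ca_cert` the client does not verify the server, so the authentication is not mutual.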